When organisations consider cyber security, their focus is typically on the strength of their tooling, from next-generation firewalls and threat analytics to the latest AI-driven technologies. But while these solutions can, and do, play a critical role in security success, the vast majority of successful attacks today can still be attributed to something much simpler: human behaviour.
For many, it isn’t a lack of investment in technology that leaves organisations exposed to threats, it’s the everyday decisions or oversights made by employees, such as sharing credentials over email, clicking a suspicious link while otherwise distracted, or using an unsanctioned and potentially insecure application to increase productivity. While the heightened risk associated with these choices may be unintentional, they can often be all that a threat actor needs to launch an attack.
Why Does Human Behaviour Still Matter in Cyber Security?
According to research from Stanford University, approximately 88 per cent of data breaches are caused by employee mistakes. While technical exploits are still employed, the majority of successful attacks begin with manipulation rather than malware.
With the help of AI tools, malicious emails are crafted to look legitimate, messages are engineered to create urgency and confusion, and links can be presented in a way that mimics trusted domains. These tactics are designed to bypass security controls by exploiting human judgement. And concerningly, even with strong perimeter defences and Zero Trust policies, these threats often succeed, because rather than access being forced, it’s granted.
But it’s not only external actors that pose a challenge. Insider threats, whether malicious, negligent, or accidental, remain a leading cause of data loss. Employees working in siloed roles or under high-pressure time constraints may misconfigure permissions, misplace devices, or share data inappropriately, often without realising the security implications. This is compounded by a gap between policy and practice, with users frequently unaware of the full impact of their decisions and actions, particularly in disconnected, fast-moving environments.

Common Pitfalls in Security Training Initiatives
While most contemporary organisations have some form of cyber security training in place, awareness alone does not necessarily equate to behavioural change in practice. Several common mistakes limit the impact of these programmes:
One Size Fits All Training
Generalised annual training programmes are common, but do little to engage staff in maintaining cyber security day-to-day, or address the specific risks most likely to occur across different business functions.
Overemphasis On Compliance
Training designed purely to meet audit requirements may tick a necessary box, but tends to lack practical relevance for staff and fails to build real-world security instincts to prepare them for encountering potential threats.
Lack of Measurement
If data isn’t collected and assessed on user behaviour or programme effectiveness (whatever its goal), it’s impossible to know whether awareness is actually translating into reduced risk.
No Cultural Reinforcement
To be truly effective, security training must be supported by leadership, processes, and peer behaviour. Isolated training won’t overcome a culture where convenience is prioritised over compliance. Instead, security awareness must be continuous, contextual, and closely aligned with the organisation’s threat landscape and operational realities.

Building a Culture of Cyber Security
Creating the human line of defence necessary for minimising risk involves embedding cyber security into the culture and daily behaviours of the workforce. It’s not an overnight change, but can be worked towards by considering the following:
Tailor Training to Risk and Role
Not all employees face the same cyber threats. Developers, finance teams, HR staff, and senior leaders each encounter different risks and require training aligned with their responsibilities. Consider utilising role-based training modules and scenarios that reflect the actual threats that users are likely to encounter, such as training finance staff to detect fraudulent invoice schemes.
Simulate Real-World Threats
Simulated phishing campaigns and social engineering tests are invaluable tools for both measurement and education. When combined with post-click learning, they help users to identify suspicious behaviour in practice, and not just in theory. Ideally, simulations such as phishing and MFA-fatigue tests should be run regularly, with responses gathered to track staff progress and measure the effectiveness of your security training.
Make Training Continuous and Engaging
Security is not static, and neither is the training required to keep pace with developing threats and technologies. If annual compliance sessions aren’t providing the awareness and results you’d like to see, consider moving towards shorter, more frequent micro-training, tying key messages to current events and opening a dialogue where possible so that learning becomes continuous.
Empowerment Over Punishment
Effective programmes foster a sense of shared responsibility, rather than blame. Users should feel confident reporting suspicious activity, mistakes, or potential breaches, and in many cases, early reporting is not only essential for compliance obligations, but the best way to promptly contain an attack and begin early remediation. Create simple, well-publicised reporting channels, and encourage early reporting of both incidents and near misses.
Lead by Example
Security culture must be driven from the top. If executives and team leaders ignore policies, take shortcuts, or bypass procedures, employees are likely to do the same. Include executive participation in awareness and training initiatives and consider introducing cyber security into regular leadership meetings to keep awareness front of mind.
While technical controls become stronger and more adaptive, attackers are increasingly targeting the human layer, simply because it remains the most accessible. Building an effective security training programme isn’t just about reducing mistakes, it’s about fostering a culture where every employee becomes an active participant in protecting the organisation. The end goal is not simply awareness, but meaningful behavioural change, embedding cyber security into the everyday decisions that staff make across departments, devices, and environments.
At Threatscape, we understand the human element of cyber security. We work with organisations to design and optimise security strategy that goes beyond compliance to deliver measurable reductions in risk. Talk to us today and an account manager will be in touch to advise how we can best support your ongoing cyber security journey.